Channel: Symantec Connect - Endpoint Protection - Discussions

Unsolicited arp mac spoofing

I need a solution

Hello,

On the forum, I can find a lot of information about the ARP problem "Unsolicited ARP received by the client". However, we have a specific network organization and specific parameters on the client computer.

We have two Cisco routers in Active / Passive mode (HSRP protocol); these routers communicate with the client computer through a virtual gateway.

On the client computer, we have the Wifi and Ethernet interfaces enabled and connected. When the Wifi and Ethernet interfaces use the same VLAN, we receive a message from the SEP client: "Spoofing MAC from the virtual gateway". On the SEPM server, we have "Spoofing MAC" in the log for a specific laptop, with an occurrence number (between 1 and 5).

For example, at first the laptop uses the Wifi connection. When we connect the laptop to the Ethernet connection, we receive the spoofing message two or three minutes after this connection.

With Wireshark, we can see the ARP request "Who has" and the answer "Is at". In the ARP tables of the Wifi and Ethernet interfaces, we have just the static information and one or two dynamic entries. In the dynamic entries, we have the MAC and the IP of the virtual gateway.

In the Wireshark log, we don't have the Follow option (TCP / UDP stream) to follow the request and its ACK.

For the ARP request "Who is", do we have a timeout?

For example, if the "Is at" isn't received after a specific timeout, the client computer might think that this request is lost. It might cancel this request and send out another "Who is" request. The ARP spoofing might come from an old "Is at" answer; the client computer might consider this old answer as MAC spoofing.

What do you think about this example? Perhaps true, or totally false for you?

Any ideas?

Thanks very much,

Eric
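
The timeout hypothesis raised in this post can be modelled in a few lines. The following is an added example, not part of the original post and not Symantec's detection logic: the 1-second timeout, the addresses and the trace are constructed assumptions. It shows that a delayed answer followed by the answer to a retried request leaves one "is at" with no pending request while the gateway MAC stays the same, which is distinguishable from a reply that carries a different MAC.

```python
from dataclasses import dataclass, field

REQUEST_TIMEOUT = 1.0  # seconds; assumed value, not taken from SEP or any OS

@dataclass
class ArpMonitor:
    """Toy model of one interface: tracks own requests and the last MAC per IP."""
    timeout: float = REQUEST_TIMEOUT
    pending: dict = field(default_factory=dict)  # target IP -> time of last "who has"
    cache: dict = field(default_factory=dict)    # IP -> last MAC seen in an "is at"

    def sent_request(self, ts, target_ip):
        self.pending[target_ip] = ts             # a retry overwrites the older request

    def received_reply(self, ts, sender_ip, sender_mac):
        asked = self.pending.pop(sender_ip, None)  # one reply consumes one request
        if asked is not None and ts - asked <= self.timeout:
            findings = ["solicited"]
        else:
            findings = ["unsolicited"]           # no request, or request already expired
        known = self.cache.get(sender_ip)
        if known is not None and known != sender_mac:
            findings.append("mac-changed")       # the IP-to-MAC binding itself moved
        self.cache[sender_ip] = sender_mac
        return findings

# Constructed values standing in for the virtual gateway and another station
GW_IP, GW_MAC, OTHER_MAC = "10.0.0.1", "02:00:00:00:00:01", "02:00:00:00:00:99"
# Constructed trace: (time in s, "req" sent by host / "rep" received, IP, MAC)
TRACE = [
    (0.0, "req", GW_IP, None),
    (0.2, "rep", GW_IP, GW_MAC),      # normal exchange
    (5.0, "req", GW_IP, None),        # the answer to this one is delayed
    (6.5, "req", GW_IP, None),        # host retries after the timeout
    (6.6, "rep", GW_IP, GW_MAC),      # delayed answer, matched to the retry
    (6.8, "rep", GW_IP, GW_MAC),      # answer to the retry: nothing pending any more
    (20.0, "rep", GW_IP, OTHER_MAC),  # unrequested reply carrying a different MAC
]

def replay(trace):
    """Feed a trace through the model and return (time, findings) per reply."""
    mon, out = ArpMonitor(), []
    for ts, kind, ip, mac in trace:
        if kind == "req":
            mon.sent_request(ts, ip)
        else:
            out.append((ts, mon.received_reply(ts, ip, mac)))
    return out

if __name__ == "__main__":
    for ts, findings in replay(TRACE):
        print(f"{ts:5.1f}s  {', '.join(findings)}")
```

When comparing against a real capture, the useful split is the same: an unsolicited reply whose MAC matches the existing dynamic entry versus one that changes it.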
